Fluix provides all the tools required for compliance with HIPAA regulations.
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996, which amends the Internal Revenue Service Code of 1986. This law impacts all areas of the healthcare industry and is designed to improve the portability and continuity of health benefits. It calls for greater accountability in the area of healthcare, simplification of the administration of health insurance, and placement of administrative, technical and physical safeguards to protect confidential health information of patients.
More specifically, HIPAA requires healthcare providers to adopt sound practices for protecting the confidentiality of all patient information in any form. More information about HIPAA can be found here: http://www.hhs.gov/ocr/privacy/index.html
What is the HITECH Act and the Final HIPAA Omnibus rule?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009, to promote the adoption and meaningful use of health information technology in the U.S.
In 2013, the final HIPAA Omnibus rule set further statutory requirements, which greatly enhanced a patient’s privacy rights and protections, including holding all custodians of Protected Health Information (PHI) — including HIPAA Business Associates (BA) — subject to the same security and privacy rules as Covered Entities under HIPAA.
How does Fluix facilitate HIPAA compliance for its customers?
All businesses, regardless of their size, that handle, maintain, store or exchange private health or patient-related information are subject to HIPAA. As your technology partner, Fluix is committed to ensuring the confidentiality, integrity and availability of all protected electronic information. While we do not sign BAAs, our track record demonstrates an ongoing investment in security, compliance and control for our customers.
Paperless Document Management in Healthcare
More and more doctors and medical professionals prefer to switch to a paperless environment and take their practices online (e.g. using electronic prescriptions, setting up web appointments, or practising remote medicine, which is becoming common in the tightening medical market). Such a switch to mobile includes sharing electronic files containing protected health information with patients and collecting similar private data from them using mobile devices. The Health Insurance Portability and Accountability Act (HIPAA) is the official compliance framework for the use of computers and for patient privacy when dealing with patient data and information. Its standards ensure that data is transmitted in a way that keeps patient privacy and information secure and within the guidelines established by the act.
Impact of HIPAA on Fluix
Fluix offers a secure way to store content, including protected health information (PHI), and improves collaboration around it via various communication channels. All elements of the platform, such as the built-in cloud storage, the secure connection to the server, and the iPad / iPhone / Web applications, support the security and privacy requirements of the HIPAA regulations. The security standards comprise administrative, physical and technical safeguards, of which only the technical safeguards apply to the Fluix service. Technical safeguards are the processes put in place to protect and control access to information and to data that is stored and transmitted over a communications network. The chart below summarises the HIPAA requirements and how Fluix can support them to create a fully secure digitized environment for healthcare organizations. Each set of safeguards has particular standards with implementation specifications that are either required (R) or addressable (A). An implementation specification is a detailed instruction on how the service complies with a particular HIPAA Security Rule standard.
HIPAA Security Standards and Implementation Specifications
(R) – required, (A) – addressable
Access Controls (R)
• Unique User Identification (R)
• Emergency Access Procedure (R)
• Encryption & Decryption (A)
Audit Controls (R)
• Notification and Archiving (R)
• Mechanism to Authenticate ePHI (A)
Transmission Security (R)
• Encryption (A)
There is no single way to achieve HIPAA security compliance for any given service. It is not enough to have one piece of hardware, software, or process in place: all IT technologies and processes must work together to create a completely secure environment. Before enforcing any particular process within the service, a full risk assessment of the technological environment should be completed.
The following outlines the general processes used to protect data and to control access to ePHI. They include authentication controls to verify sign-ons and transfer security (encryption) to protect the confidentiality and integrity of data.
Access Control (R)
Implement policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.
Unique User Identification (R)
REQUIREMENT: Assign a unique name and/or number for identifying and tracking user identity.
Each user within a Fluix company account has their own login credentials to sign in to the application on their device. Depending on the user's role (company admin, group admin, messenger, user), a unique login, password and device ID are associated with each person, and these determine which areas of the account, and hence which information within it, they are granted access to. If an additional layer of security is required for the company web administration portal, which holds all the company configuration, admins can be required to go through two-factor authentication: each admin is then associated with a particular phone number to which random codes are sent when the portal is accessed.
Emergency Access Procedure (R)
REQUIREMENT: Establish and implement procedures for obtaining necessary ePHI during an emergency.
Company storage: if all sensitive information is stored on the organization's own servers / storage, it is up to the in-house team to implement emergency access procedures. In most cases, data retrieval, update and renewal are easy to set up.
Built-in storage: if sensitive company information is stored in Fluix's built-in storage, it is redundantly backed up and can be manually restored from the hosting environment upon written request to the technical support team. The turnaround time is defined by the Service Level Agreement and has a default value of 1 business day.
Mobile apps (iPad / iPhone / Web applications): all master documents/forms distributed to the mobile app are delivered through automatically synchronized and backed-up channels. In an emergency, such as device loss, they can be retrieved from the server. Files stored locally on the iPad / iPhone can be backed up via iCloud, retrieved with programs such as iTunes and iExplorer, sent by email, or uploaded to storage as a means of backup.
Audit Control (R)
Implement hardware, software, and/or procedural mechanisms that record and examine activity in any system that contains or uses ePHI.
Notification and Archiving (R)
REQUIREMENT: Procedures and/or mechanisms should be put in place to track and record activity on systems containing ePHI and customer data.
Web Admin portal: messages and notifications can be pushed to the iPads / iPhones on any update within the account. Indicators also show when the application was last synchronized / updated and whether a pushed message or document was delivered. Every document traveling through a workflow leaves an audit trail of all edits, which can be reviewed by a company administrator with sufficient privileges. Each record includes the document author, status, date and time of modification, and the actual changes made.
Mobile apps: every time messages, documents and links are pushed to the app, users receive notifications. Every automatic synchronization that updates the content on the device is accompanied by additional notifications.
Implement policies and procedures to protect ePHI from improper alteration and destruction.
Mechanism to Authenticate ePHI (A)
REQUIREMENT: Implement electronic mechanisms to corroborate that ePHI has not been altered.
Web Admin portal: documents travelling through the workflows are tightly encapsulated, and as such cannot be edited, copied or forwarded unless explicitly authorised, thus protecting the integrity of the document and preventing harmful or unnecessary data modification or exposure.
Mobile apps: documents with a signature field are sealed with a digital certificate. Any subsequent change to the document results in the signature being invalidated. The 'Completed' section can be configured to disallow further modification of a document after completion, providing a record that the automated medical process reached its goal.
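As an added illustration of the seal described above (example code, not Fluix's own; it assumes an Ed25519 key pair standing in for the signing certificate and a constructed two-field form), the following Go program signs a completed form and shows that any later edit invalidates the seal:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// canonical encodes the fields as JSON; encoding/json writes map keys in
// sorted order, so identical content always yields identical bytes to sign.
func canonical(fields map[string]string) []byte {
	b, err := json.Marshal(fields)
	if err != nil {
		panic(err) // cannot happen for map[string]string
	}
	return b
}

// Seal signs the canonical form; the signature is the document's seal.
func Seal(priv ed25519.PrivateKey, fields map[string]string) []byte {
	return ed25519.Sign(priv, canonical(fields))
}

// Verify reports whether the fields still match the seal made over them.
func Verify(pub ed25519.PublicKey, fields map[string]string, seal []byte) bool {
	return ed25519.Verify(pub, canonical(fields), seal)
}

// Demo seals a constructed form, alters one field after completion, and
// returns the verification result before and after the alteration.
func Demo() (beforeEdit, afterEdit bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the certificate's key
	if err != nil {
		panic(err)
	}
	form := map[string]string{"patient_id": "P-0001", "dose_mg": "5"} // constructed sample
	seal := Seal(priv, form)
	beforeEdit = Verify(pub, form, seal)
	form["dose_mg"] = "50" // change made after the seal was applied
	afterEdit = Verify(pub, form, seal)
	return beforeEdit, afterEdit
}

func main() {
	before, after := Demo()
	fmt.Printf("seal valid before edit: %v, after edit: %v\n", before, after)
}
```

Because the seal covers the canonical content rather than the file bytes, the same check works whether the edit was made in the app or by re-uploading a modified copy.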
Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communication network.
Encryption and Decryption (A)
REQUIREMENT: Implement protection of data-at-rest and data-in-motion.
The Fluix service uses the Secure Sockets Layer (SSL) protocol to create a uniquely encrypted channel for private communication of healthcare data in motion.
Mobile document management and paperless workflows will continue to grow at a fast, consistent pace in the years to come. Fluix, as a flexible mobile document management solution, has created a system for the healthcare sector that provides an easy-to-use, cost-effective and highly secure iOS platform. Fluix meets the following requirements of a HIPAA-compliant solution:
• Transport Encryption: data is always encrypted as it is transmitted over the Internet
• Backup: data is never lost, as it is backed up on the servers and can be recovered
• Authorization: data is only accessible by authorized personnel using unique, audited access controls
• Integrity: data is not tampered with or altered
• Storage Encryption: data is encrypted when stored or archived
• Disposal: data can be permanently disposed of when no longer needed
• Omnibus/HITECH: data is hosted in-house or on Amazon S3 servers that meet HIPAA security requirements.